Critical Unauthenticated Access Flaw Found in Grafana OnCall
A critical vulnerability in Grafana OnCall allows unauthenticated remote attackers to gain full administrative access via hardcoded default identifiers.
Grafana OnCall versions up to 1.16.11 are affected by a critical vulnerability, tracked as CVE-2026-63087, which permits unauthenticated remote attackers to obtain a valid PluginAuthToken. By sending a POST request to the internal plugin install endpoint using hardcoded default stack_id and org_id values found in the public source tree, an attacker can bypass authentication mechanisms.
Once a token is acquired, attackers can authenticate against all internal API endpoints. This access allows for the creation of arbitrary Admin users, the revocation of legitimate tokens, and the redirection of API traffic to attacker-controlled hosts by overwriting organization configurations. With a CVSS score of 9.8, this vulnerability poses a significant security risk to affected systems.
Continue Reading
n8n Flaw Risks Multi-Issuer Hijacking
A critical identity-binding vulnerability in n8n's token exchange process allowed unauthorized account access across trusted issuers.
AI Agents Vulnerable to Data Injection
A new research paper details how 'probabilistic delimiter injection' allows attackers to bypass AI safety guards with fake data.
Envoy Gateway Authentication Bypass Leads to Secret Disclosure
A critical vulnerability in Envoy Gateway allows attackers to bypass path validation and access sensitive files on the gateway controller pod.